Bagisto Cross-Site Scripting Vulnerability in Custom Scripts Handler

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Bagisto versions through 2.3.15. The issue arises in the Custom Scripts Handler component, where the application fails to properly sanitize user input before rendering it. This allows authenticated low-privileged administrative users to inject arbitrary JavaScript, which is then executed in the browsers of users visiting the affected pages. The vulnerability can be exploited remotely, and a public proof-of-concept is available.

Impact

Exploitation of this vulnerability results in stored cross-site scripting: the injected script is persisted in the configuration and executed in the browser session of any user who views the affected pages.

Reproduction

To reproduce this vulnerability, an authenticated low-privileged admin user navigates to the Custom Scripts configuration feature and enters a JavaScript payload into the Custom Scripts field. Once the configuration is saved, the injected script executes automatically in the browsers of users accessing the affected pages.
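The description above identifies two failures: the field can be written by a low-privileged admin, and its contents are rendered without sanitization. The following Python model is an added illustration, not Bagisto's code (Bagisto is a PHP application, and its real handler, role names and templates are not on this page). It places the vulnerable write-and-render path beside a hardened one that gates the write on an assumed role and HTML-encodes the value on output, and it includes a coarse audit helper a defender could run over a stored configuration value. The role names, the page template and the marker string are all constructed for this example.

```python
"""Model of a 'custom scripts' configuration field: the unsafe storage and
rendering path beside a hardened one. Added illustration; not Bagisto's code."""
import html
from dataclasses import dataclass

# Assumed role model for this illustration only; the page does not describe
# Bagisto's actual roles or permissions.
ROLES_ALLOWED_TO_EDIT_SCRIPTS = {"super_admin"}


@dataclass
class AdminUser:
    name: str
    role: str


class CustomScriptsStore:
    """Holds the value submitted through the Custom Scripts field."""

    def __init__(self) -> None:
        self.value = ""

    def save_unchecked(self, user: AdminUser, value: str) -> None:
        # Vulnerable pattern: any authenticated admin may write the field.
        self.value = value

    def save_checked(self, user: AdminUser, value: str) -> None:
        # Hardened: only an explicitly authorized role may write the field.
        if user.role not in ROLES_ALLOWED_TO_EDIT_SCRIPTS:
            raise PermissionError(
                f"{user.name} ({user.role}) may not edit custom scripts")
        self.value = value


def _wrap(slot: str) -> str:
    # Constructed storefront page; concatenation (not str.format) so that
    # braces in stored JavaScript are not misread as format fields.
    return "<html><head><title>Store</title></head><body>" + slot + "</body></html>"


def render_unsafe(store: CustomScriptsStore) -> str:
    # Vulnerable: the stored value is interpolated verbatim into the response,
    # so any markup it carries becomes part of the page every visitor loads.
    return _wrap(store.value)


def render_escaped(store: CustomScriptsStore) -> str:
    # Hardened: HTML entity encoding turns tags and quotes into inert text.
    return _wrap(html.escape(store.value, quote=True))


def audit_stored_value(value: str) -> bool:
    """Coarse defender check over a stored configuration value: True when it
    carries markup that would execute if rendered unescaped. A heuristic for
    triage, not a sanitizer."""
    lowered = value.lower()
    return any(marker in lowered for marker in ("<script", "javascript:", "onerror="))


def demo() -> dict:
    """Run both paths with a constructed, inert marker and report what happened."""
    # The marker only shows that markup survives the unsafe path; it does nothing.
    marker = "<script>/* constructed marker */</script>"
    low_priv = AdminUser("catalog_editor", "catalog_manager")

    store = CustomScriptsStore()
    store.save_unchecked(low_priv, marker)          # vulnerable write succeeds
    unsafe_page = render_unsafe(store)
    escaped_page = render_escaped(store)

    try:
        CustomScriptsStore().save_checked(low_priv, marker)
        write_blocked = False
    except PermissionError:
        write_blocked = True

    return {
        "unsafe_page_contains_script": "<script>" in unsafe_page,
        "escaped_page_contains_script": "<script>" in escaped_page,
        "low_priv_write_blocked": write_blocked,
        "audit_flagged_stored_value": audit_stored_value(store.value),
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

Because a custom-scripts feature presumably exists to embed admin-authored markup, output encoding alone may defeat its purpose; in this model the control that keeps a low-privileged admin from reaching every visitor's browser is the authorization check on the write, which is an assumption about mitigation rather than a description of the vendor's fix.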

Added: Apr 21, 2026, 7:21 PM
Updated: Apr 21, 2026, 7:21 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 1.7
exploitability: 6.5
remediation: 0.0
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.